Listener Feedback #193

Transcript of Episode #466

Listener Feedback #193

Description: Leo and I discuss the week's major security events and discuss questions and comments from listeners of previous episodes. We tie up loose ends, explore a wide range of topics that are too small to fill their own episode, clarify any confusion from previous installments, and present real world 'application notes' for any of the security technologies and issues we have previously discussed.

High quality (64 kbps) mp3 audio file URL:

Quarter size (16 kbps) mp3 audio file URL:

SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We'll talk a little more about iOS security, and then he's going to answer your questions. A lot of conversation about cloud storage and that kind of thing. Stay tuned. A really interesting Security Now! is up next.

Leo Laporte: This is Security Now! with Steve Gibson, Episode 466, recorded July 29th, 2014: Your questions, Steve's answers, #193. It's time for Security Now!, the show that protects you and your loved ones online. And here he is, the security chief, the Explainer Extraordinaire, Mr. Steven Gibson. It's good to see you, Steve.

Steve Gibson: Great to be with you again, as always. Our last podcast of July, coming into August.

Leo: We referred a little bit to you on MacBreak Weekly again this week because of our conversation about Jonathan Zdziarski's OS 8 or OS 7 security issues. And I think everybody has concluded that you are exactly right in the degree to which you worry about those security issues.

Steve: Yeah, exactly. In fact, I have a little follow-up this week, both on that and canvas fingerprinting. A big errata fix, which is my comment that I'm sure you saw this, too, you must have received tweets and things, that iOS 7 had not been jailbroken.

Leo: Yeah, I should have stopped you on that one.

Steve: Well, and Jonathan did write that; but, as I commented, his paper was about 10 months old. And in fact that was his comment, was that it wasn't until he created the PowerPoint presentation and did an actual presentation that anyone noticed what he had written back in October of So anyway, so that was old news. And so to everyone who tweeted me, thank you for the correction. And that's corrected.

Leo: Although as Rene Ritchie was pointing out, the jailbreak is the bigger security flaw. I mean, if you're going to really talk about security issues, the fact that you can jailbreak it is a huge security issue; right?

Steve: Yeah, although that, as I understand it, that's still, I mean, it requires the user themselves to jump through all kinds of hoops in order to make that happen. It's not like...

Leo: It's nontrivial, yeah. Although there have been single-button jailbreaks.

Steve: I always think that, I mean, and this is like me, saying it ought to just be something you can do.

Leo: Yeah.

Steve: You know? It ought to not be this cat-and-mouse game between the consumer who owns the device and Apple who is fighting them over control. If the consumer knowingly says, "I want freedom," they ought to be able to just press a button and get it.

Leo: Well, of course that's how it is on Android. There's a checkbox that says, is it okay to buy stuff from third-party stores? You check that box. They warn you there's a risk inherent, and then you just do it.

Steve: Yeah, and there's something you press, like, seven times, too, isn't there?

Leo: Yeah, but you don't need to do that to jailbreak an Android device. It just is a setting. Jailbreaking on the iPhone only really does one thing. It allows you to buy from somebody besides Apple, buy apps or download apps.

Steve: Well, and it also, well, or to install apps other than from the curated, controlled environment.

Leo: That's it, yeah.
And so that's a checkbox in Android. There is other stuff, yeah.

You can turn on developer mode by tapping something seven times. And then many Android phones, but not all, can be rooted. Which is really more for people like us who understand computers, that's getting...

Steve: Who know what the word "root" means.

Leo: Yeah, superuser permission, you know.

Steve: And if you don't know what that is, you should not do it.

Leo: You shouldn't do it.

Steve: No.

Leo: But that's, to me, that's the clear and distinct difference between iOS and Android. And if you want that, you should use Android. Right there. Boom.

Steve: Yeah.

Leo: Seems risky, though.

Steve: I heard you mentioning also that Samsung, despite their massively heavy advertising, is not the Android device you should buy. You were liking the HTC?

Leo: I like - I currently use an HTC One, but there are many good choices, including, if it were easier to get, I'd probably recommend this very inexpensive but very nice OnePlus One phone. It's only 300-some bucks. And it's a really nice, state-of-the-art phone.

Steve: And there was just a, was it a law passed? Or, no, I think it was - didn't Obama sign an executive order?

Leo: He hasn't signed it yet. It is a law that both the House and Senate have passed. And the reason - this is that says that you have the right, a legal right to unlock your phone after you've had it for the contract period. It's come and gone. It was, I think it was the Librarian of Congress that said you could do it, and then...

Steve: Yeah, and where did that - how did they get their feet in there? I thought, Library of Congress, what?

Leo: They're responsible for copyright and trademark and IP protection. I know, isn't that weird? It's just weird. The whole world is weird. The U.S. world is weird. Everybody in Europe's going, wait a minute, you don't have - wait a minute. What are you saying? In Europe, it's not only legal, it's required that the carrier unlock the phone.

Steve: Well, and I love the idea of the freedom that that would create. After you've fulfilled your contract, and you're not happy with...

Leo: Well, of course. You bought this hardware. You should be able to run it any way you want.

Steve: And it's not cheap. I mean, it's seriously expensive stuff. I mean, Apple's rolling in cash.

Leo: So AT&T's done this for a while and allowed customers to do this for a while. And now it's required that everybody offer it. Well, soon as President Obama signs it.

Steve: Will be, yeah. So just to follow up on the iOS security thing, after, or maybe it was the afternoon or the morning, anyway, it was just after last week's podcast. And I was saying last week, Apple needs to respond. And as of last podcast, they had not. And of course they, as I was saying it, they were posting their response. Which was just to sort of assert their position, which was that the three main issues that Jonathan had were there for legitimate purposes. Now, he then of course defended his position, as we would expect him to do, just because it's a position, and it's his, saying "I'm still not happy." And it's like, well, okay. We're going to probably not agree to disagree, we're just going to disagree. But so Apple did what I expected. And Ars Technica continues to report this back-and-forth. And so Dan Goodin, who covers these things, covered the story that Apple responded and Jonathan wasn't happy. And down in the comments there was one that I liked. Someone posting as TheShark wrote: "I'm trying to get upset over this latest 'revelation,' but somehow I just can't.
Take the pcapd capability, for example. Why should I be worried that a computer which I've already configured to sync my phone with and which is on the same WiFi network can activate pcapd on my phone? That computer is almost certainly in a position to run pcapd locally and capture the WiFi traffic if it wanted. There's no reason to think that pcapd on the phone is going to see traffic that the computer can't. "It's the same thing with most of the other data which is accessible. A computer which I've chosen to sync with can actually access my contacts, my photos and other data which I want to sync? This is a concern why? I can imagine some app developers getting worried that authentication tokens which they don't sync and don't want users to be able to directly access might now be available, but it's also easy to imagine how useful it would be in debugging your app to get access to those files as well. Sorry, Jonathan, but I'll be more impressed when you find an actual backdoor. This seems far more like a useful tool than a nefarious one to me." And, I mean, that restates it, I think, pretty well. So, I mean, but this is the way the security business works. And as I said, I'm not unhappy that Jonathan did this. Apple needs to know that their work is being scrutinized

and that we're all just not sheep following them and accepting everything that they say. For example, they're still arguing that iMessage is secure. And we absolutely know that it's not; that because they are the curator of the certificates, and there's no visibility at all into the certificates that we're receiving from them, which we're using to sign our messages to its recipients, nothing prevents them from slipping one of their own in. And we sign that, and they're able to tap our iMessage. So, but again, this kind of analysis is what we need. I found, thanks to a listener, a site which demonstrates canvas fingerprinting, Leo, and you should go there: browserleaks.com/canvas. So it's And it does nothing without scripting on. But now scroll down, and you will see that it has found your fingerprint. See that green checkbox back up a little ways, right kind of there in the middle, right where that - yeah, there. So what this did was it just fingerprinted your browser using canvas.

Leo: Is this any different from that we talked about, I don't know, two years ago, this kind of...

Steve: No, actually we did talk about this two years ago. It suddenly bubbled back up with these inflammatory headlines.

Leo: Because of Gizmodo. They made a big deal about it in Boy Genius Report.

Steve: The unstoppable tracking technology.

Leo: But we've known about - we've talked about this for years.

Steve: So but the reason I wanted to come back to it again was to correct the record. If you look there, it says 1,847 unique signatures, not 64. So last week in the research report from the guys that found this and developed the technology, in their analysis they found it was less than six bits' worth of identification from that. But they had a relatively small sample size. Browserleaks.com has been there looking at all visitors for a long time. It just - it's looked at me. Now it's looked at you. And it's looked at everybody else who's gone there. And 1,847 is the number.
And that's about effective binary bits, or a little less than 11 bits. So that's certainly - which is to say that any of this technology running on anyone's browser that has scripting enabled, and I forgot to highlight that last week, this is all client-side, and it's done by someone injecting some JavaScript onto the page that your browser dutifully renders, and then it sucks that off, makes a hash, and sends it back to the tracking mothership. But I just wanted to say that it turns out it's not - you're not put into one of 64 or something bins. It's 1,847. So that's substantially better. But on the other hand, that's certainly not identifying you on the Internet. And so this still is far from being unique. It's one more thing that can be used. But it does require scripting. Unlike cookies, for example, that's part of the underlying plumbing of web browsing, this is script-based hack, and so users have a little more control over it. Oh, and I also found out that a lot of people are already blocking that site, the one, I can't remember, it's "all" something, that I mentioned last week, that's

like the king of the injecting of canvas [addthis.com]. Everybody knows about it and has been blocking it for a while. So, yes, this has been around. And as you said, Leo, Gizmodo got headlines and upset everybody.

Leo: What a surprise.

Steve: Yeah. It was funny, too, I saw - it didn't make it into the Q&A.

Leo: Bait from Gawker, what a shock.

Steve: It didn't make it into the Q&A. But somebody, along the same lines, was commenting how his sister was going, I think to China for a few weeks, sort of to be a missionary, and left her laptop home at some inconvenience to her because of that horrible reporting that was done during the Olympics in Russia. Remember where, and we talked about this on the show, the claim was that within minutes of crossing the border, hackers had taken over all of your electronic devices. And as we know, it was just - it was a horrible story, meaning that it was contrived, and in fact in order to have your Android phone taken over - they may have even jailbroken the phone and installed or turned off things or installed malware or something. I don't remember the details. But the point was it so scared people that it changed their behavior, unnecessarily frightening them from the conveniences that they would otherwise enjoy. On the other hand, she probably did take her smartphone, even if she left her laptop behind, and arguably that's as vulnerable as a laptop, if not more so. Great news from Open WhisperSystems. WhisperSystems we've talked about for years. This was the company that Moxie Marlinspike founded, which we also reported was acquired by Twitter toward the end of And shortly after that their first product, which was Android-only, that RedPhone, essentially the RedPhone service was disconnected after Twitter's acquisition. But then it was released as free open source and became available again.
What's then happened is that the so-called Open WhisperSystems project, which sort of has continued to live as a free and open source project, has continued to develop this technology, all free, all open source. And I think it was this morning, I think this is very fresh news, they just announced the release of Signal, which is their free encrypted voice system for the iPhone. So what they said in their blog was: "Secure calls are just the beginning. Signal will be a unified private voice and text communication platform for iPhone, Android, and the browser. Later this summer, Signal for iPhone" - which is now available and free download and also open source and beautifully designed, and based on well-proven robust security protocols - "Signal for iPhone will be expanded to support text communication compatible with TextSecure for Android. Shortly after, both TextSecure and RedPhone for Android will be combined into a unified Signal app on Android, as well. Simultaneously, browser extension development is already under way." And I forgot to mention that Signal on the iPhone is compatible right now with RedPhone on Android. So we now have the two premier phone platforms supported by essentially a single, cross-platform, truly secure voice communication system. And they'll be adding text to Signal, which will be also compatible with TextSecure. And then they'll essentially be merging TextSecure and RedPhone on the Android platform under the Signal name.

So in a few months there should just be Signal for both iPhone and the Android platform. And the price is right. It's free. So for anybody who has - first of all, RedPhone has been Android-only until now. It's now available for the iPhone in the form of Signal. And later they'll be sort of formally amalgamating them. So that's good news for anybody who wants absolute security. I spent enough time with it to look at it and see that they really did things right. So I'm really pleased that they now have the iPhone platform, as well. And there was just the announcement of sort of a troubling vulnerability, although it was responsibly disclosed, which means that Google knows about it and has already patched the problem and scanned the Play store to make sure that nobody's taking advantage of it. This was a presentation that will be made at next week's Black Hat conference. And the press has picked it up, and so it's in the headlines today because that's another thing that just happened. And it's being called the "Fake ID" vulnerability. That's the name that was given by Bluebox Security. And Jeff Forristal is the chief technology officer of Bluebox, who will be giving the presentation at next week's Black Hat conference. And again, Dan Goodin in Ars Technica reported this immediately with a headline that said: "Android Fake ID Vulnerability Lets Malware Impersonate Trusted Applications, Puts All Android Users Since January 2010 at Risk." And then there's just the first couple lines, or the first one line of his report. He wrote: "The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read , and access payment histories and other sensitive data, researchers have warned." Okay. So here's what happened.
Apparently something broke, and this was with the v2.1 of Android, which was released in January of And what happened was somewhere along the way certificate chain verification was broken in Android. Now, this is different than revocation, which never existed in Android, still doesn't. But the idea with the chain, and we've talked about this often, I mean, the whole point of a security certificate chain is that you have a trusted root, and it signs another certificate, which may sign another certificate and so forth until you get to sort of the client certificate. And the point is that that certificate, it asserts its signer, and we hope that that assertion is verified. It turns out for the last four and a half years Android has not been checking the signatures on the certificates, and nobody noticed. So the reason this is important is that there are privileged applications in Android which are trusted to bypass the application sandbox. For example, Adobe's Flash is allowed to act as a plugin for any other application installed on Android devices, presumably to allow it to provide animation and graphics services to them. We know how that works. Or, for example, Google's Wallet has privilege to access the NFC hardware, which normal apps can't because you need to be trusted in order to do that. So Flash has a certificate, which is signed, which allows Android to trust Flash. And, by the way, that certificate is unique to Flash. And the fact that Flash is carrying it with that certificate, is carrying that signed certificate, is recognized by Android and gives Flash extra privileges that other apps don't have. Similarly, there is a certificate specifically for Google Wallet, which allows it to have access to the NFC hardware. Well, it turns out no one is checking to see whether those certs are actually validly signed. So anyone can spoof those. Any malware can simply carry those certificates. 
And, for example, if it carried a Flash certificate, even though the signature was invalid because it couldn't get that certificate signed by an actual authority, if Android doesn't check the signature, then it doesn't matter. So it turns out that this has been true for four and a half years.

So in talking to the press, Jeff Forristal, the CTO of Bluetooth - of Bluebox Security, sorry, said all it takes is for an end-user to choose to install a fake app, "and it's pretty much game over. The Trojan horse payload will immediately escape the sandbox and start doing what evil things it feels like, for instance, stealing personal data." Or, of course, observing everything that the user is doing. So Google responded and said: "We appreciate Bluebox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP." And I didn't look up that acronym. You know what that is, Leo?

Leo: Android Open Source Project.

Steve: Ah, perfect.

Leo: So it means more than that. It means the manufacturers of Google-approved Android devices, any of the Android devices that have the Play store on it or AOSP handsets.

Steve: Good. And then, just finishing...

Leo: Actually, wait a minute, nope, take it - might be wrong. I think AOSP is the opposite. It's the Android Open Handset Alliance - oh, it's so confusing. Anyway, it's the other Android folks.

Steve: Well, you've got the acronym right.

Leo: I know the acronym.

Steve: Even though we don't know who they are.

Leo: But the acronym doesn't tell you exactly what it is because Google's obfuscating it.

Steve: So, and then Google said: "Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play, as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability." And so the good news...

Leo: Yeah. And so if they gave it to OEMs, that's the Handset Alliance people. And then giving it to AOSP means they put it on the open source server so that people

who make nonofficial Google Android devices can also patch it. So everybody, in other words, who's using Android. AOSP is like...

Steve: So there is a Google bug. It's been given the Google bug And Bluebox Security has put a scanner up in the Google Play store. I imagine you can find it. I've got the link in the show notes. But it's Bluebox Security Scanner. And it will scan your machine to verify that it has been patched for this problem. And the good news is this is - it's not like one of those things where the application - malware could be hiding some behavior which, for example, yep, there it is on the screen, and it's a free download, so anyone who's interested or curious or worried, a Bluebox Security scanner in the Google Play store. But the point is this is easy to scan for because it's a security certificate that the application has to have and has to present in order to get these privileges. So it's simply a matter of Google running through, like knowing this is a problem, and running through all the apps to verify affirmatively the signatures on all of the certs that they carry. So...

Leo: Just to be clear, you don't need this to fix your problem. This is just to see if you ever got bit.

Steve: No, no. Actually, I think it's - from the notes it says that it checks to verify that you are no longer vulnerable. That is, that your Android device has been patched through the patching process.

Leo: I think it's also highly likely that, see, Google has its own scanner, which they keep up to date on Android. And it's highly likely they fixed that, as well, at the same time. So that scanner goes through every app you download and checks for known vulnerabilities. So I imagine...

Steve: Is that the Verify Apps that they talk about?

Leo: Yeah, yeah.

Steve: Okay. Yup.

Leo: And they update that easily. So my suspicion is you've got that already. So I don't know...

Steve: Yeah, and Verify Apps they said has been enhanced.

Leo: Yeah.
See, the blue people - Bluebox is a business. This is a product. They don't charge you for it. But they would like to get - it's like Lookout. They would like to get it on your system.

Steve: Yeah.

Leo: Yeah. Now checks for the Fake ID vulnerability, but it's always been checking for other things, as well.

Steve: Well, you know, I was thinking about this. I mean, it's good that they found this. And I think it'll make an interesting presentation. And they did the right thing by disclosing responsibly. The sad thing is that it sort of takes the teeth out of their whole presentation that it's like, well, we found this, and it's been fixed, so nobody has to worry about it.

Leo: Now you know why people hold onto these and don't tell Google or Apple.

Steve: Yeah.

Leo: But they did the right thing. Please do the right thing.

Steve: Yes, they did.

Leo: Even if it takes the teeth out of your presentation.

Steve: Yeah, well, because the problem is this one in particular is so bad that if this were, for example, a zero-day discovery, it would be really bad. If we found it being used rather than them discovering the problem, that would be a whole different deal because it would just take time to push out the change and get everybody to respond. And there would be people hurt in the meantime. This way nobody was hurt. But it's a lot less exciting. Sometimes that's a good thing. Okay. Speaking of exciting, or maybe not, I'm not sure, we have the final volley in this pretty much ridiculous back-and-forth between Verizon and Level 3. And so I want to discuss it for two reasons. First of all, additional information about the way they feel about this issue, the peering bandwidth issue, comes out in this. And we get a conclusion. So now we're back to - last week we talked about Level 3's response to Verizon's first volley. And so now we have David Young again from Verizon, responding to Level 3's response from last week. And he makes some good points, I think. I'm not taking sides. I'm interested in sort of the technology still, and understanding, like, how they're thinking about this.
So David Young's posting from Verizon called it "Level 3's selective amnesia on peering." And what's interesting about this, and we'll get there in a second, is you and I, Leo, talked about the Level 3/Cogent problem, and it affected me because my T1s are on Cogent bandwidth, and GRC's famously - and there I said the word, only once - in the Level 3 datacenter. So I was cut off from my own servers when they had that peering battle.

Leo: Wow.

Steve: Anyway, so and you may remember, it was a few years ago, I couldn't get...

Leo: Oh, yeah, yeah, I do, yeah.

Steve: I couldn't get to GRC because Cogent and Level 3 were fighting. So David Young writes: "Last week Level 3 decided to call attention to their" - okay, now, again, the wording is of course loaded - "call attention to their congested links." It's not our congested links, it's Level 3's congested links, even though they just interconnect each other's routers. So I'm not sure why it's Level 3's links that are congested. Seems to me it's both...

Leo: Ehhh, it's like when your wife says, "Your son is in trouble again." Mm-hmm, mm-hmm. Yeah.

Steve: Exactly. So "Level 3 decided to call attention" - and actually, no, I would argue that Verizon called attention.

Leo: Yeah, who started this.

Steve: With, as you keep pointing out, the bright red - the only part of the network diagram that was red in Verizon's original posting, as you properly note. So "call attention to their congested links into Verizon's network." Okay, so that's important, as we'll see in a minute. So he's saying: "...Level 3's congested links into Verizon's network. Unlike other content delivery networks, which pay for connections into ISP networks to ensure they have adequate capacity to deliver the content they have been hired to deliver" - and again, remember, this is certainly partisan - "Level 3 insists on only using its existing settlement-free peering links, even though, as Level 3 surprisingly admits in their blog, these links are experiencing significant congestion. Level 3's solution? Rather than buy the capacity they need, Level 3 insists that Verizon should add capacity to the existing peering link for additional downstream traffic, even though the traffic is already wildly out of balance."
So there again we get this, you know, all of this seems as if Verizon's saying these are Level 3's links because they are in this data flowing into Verizon's network. And then we also get this notion that, from Verizon's viewpoint, what a content delivery network pays ISPs to do is to accept their bandwidth to ensure, as David writes, they have adequate capacity to deliver the content they've been hired to deliver. So, and this notion of wildly out of balance, which I've been talking about as we've been looking at this. So continuing, David says, "Level 3 has been on the other end of these peering disputes in the past," which we know is true. "In 2005, they found that Cogent was in violation of their peering agreement. Explaining the situation in a press release describing the dispute," and he provides the link, "Level 3 said, 'Free peering, also referred to as settlement-free peering, is a contractual relationship under which two companies'" - and this is Level 3 in 2005, referring to their dispute with their Cogent - "'under which two

companies exchange Internet traffic without charging each other. In order for free peering to be fair to both parties, the cost and benefit that parties contribute and receive should be roughly the same. For example, Cogent was sending'" - and this is "was," so that means this was posted after Level 3 broke the links, essentially, cut off the peering relationship. "'For example, Cogent was sending far more traffic into the Level 3 network than Level 3 was sending into Cogent's network. It is important to keep in mind that traffic received by Level 3 in a peering relationship must be moved across Level 3's network at considerable expense. Simply put, this means that, without paying, Cogent was using far more of Level 3's network, far more of the time, than the reverse. Following our review, we decided that it was unfair for us,' says Level 3, 'to be subsidizing Cogent's business.'" And then David says: "Level 3 informed Cogent that they would be terminating their peering agreement unless Cogent made alternative arrangements." And then back to Level 3's statement at the time: "'We then contacted Cogent's senior management to offer to discuss alternative commercial terms to allow the continued exchange of traffic. Cogent refused.'" So then David says: "Level 3 put the onus squarely on Cogent for failing to make alternative paid arrangements for the benefit of customers to handle the unbalanced traffic as other firms had." And then back to Level 3: "'Those firms chose to enter into agreements, either with Level 3 or others, to obtain the appropriate connectivity and keep the interests of their customers paramount.'" And then David writes: "Summing up their position, Level 3 said" - and this is the last Level 3 statement. "'To be lasting, business relationships should be mutually beneficial. In cases where the benefit we receive is in line with the benefit we deliver, we will exchange traffic on a settlement-free basis.
Contrary to Cogent's public statements, reasonable, balanced, and mutually beneficial agreements for the exchange of traffic do not represent a threat to the Internet. They don't represent a threat to anyone other than those trying to get a free ride on someone else's network.'" And then finishing, David says: "So what has changed for Level 3? Unfortunately, they are now the one 'trying to get a free ride on someone else's network' and failing to 'keep the interest of their customers paramount.'" And finally David at Verizon says: "Fortunately, Verizon and Netflix have found a way to avoid the congestion problems that Level 3 is creating by its refusal to find 'alternative commercial terms.' We're working diligently on directly connecting Netflix content servers into Verizon's network so that we can both keep the interests of our mutual customers paramount." So anyway, some additional - so there's some intriguing ideas here, that is, that the way these top-tier providers feel is incoming traffic is a burden that they're carrying on behalf of their peering partner. And as I said, I've experienced this myself. When I was setting up my servers in Level 3's datacenter, they wanted to know what my own, just my own little piddling ratio of incoming to outgoing traffic was because, of course, it all adds up. If everyone that they were hosting was only serving and not receiving, then there would be an imbalance created by that datacenter, to some degree, before it has a chance to get diffused. So I think there's validity to this. I don't think these people have conducted themselves very well, just yapping at each other publicly. But I think, as I hoped we would, we learned something about the way these relationships operate at the high end. And I got a better sense for what I was looking for, which was what is this about balance? Why is that important? And this explains it.

I got an interesting piece of feedback from GRC's HTTPS Fingerprinting page. Everyone will remember I pulled that system together, brought it online, I don't know now, maybe six or more - maybe more like a year ago because it was certainly before I started working on SQRL. And that's been going for a while. Anyway, a G. Evans used the Fingerprinting Feedback page to say, "In your paragraph about machine-resident interception," meaning client-side interception, "you can add Avast antivirus to the list. There is an innocuous settings checkbox that says, 'Scan secure connections,' with no other explanation. Sounds like a good idea, until I read your Fingerprints page in Firefox and noticed the lack of a green label in the address bar for GRC. When I hovered over the lock symbol, it said 'Verified by Avast' as opposed to 'Verified by DigiCert.' Oops. I immediately turned off that option in Avast, and now it's back to normal." So I'm not sure that's a problem. It requires that you trust Avast. But essentially what that means is that, when this G. Evans, or presumably anybody, installs Avast, it's also putting its certificate in your - I assume this is on a Windows machine - in the OS's root store so that your browser will trust certificates that it signs. And then...

Leo: That's kind of not good behavior.

Steve: I know. And this is what - but the problem is, without doing that, the antivirus system can't scan your traffic. It would have to do it after the traffic were decrypted. And there's probably not a good way to get a shim in there. So what it's doing is...

Leo: You can always do the man in the middle.

Steve: Well, it is. It's a man-in-the-middle attack. I mean, that's what it is. And of course the problem is, if somebody got their certificate, or actually if somebody - let's see how this would work. If somebody reverse-engineered Avast and pulled the certificate...

Leo: Yeah, I mean, you're trusting Avast, basically.

Steve: Yeah. But my point is, I have to think this through, but I think that means anybody could get a hold of - a bad guy could get Avast and extract the certificate from it. And if they knew you were using Avast, then they could move the man in the middle outside of your machine. I don't see anything preventing them from doing that.

Leo: Ooh, that's not good.

Steve: No. That's scary, actually, because what Avast is doing is they're - when he went to GRC, GRC's certificate was sent to Avast, and Avast minted their own fake GRC.com certificate and signed it, and then sent it on to the browser. So the browser thought it was connecting to GRC with a secure connection, when in fact you had a man-in-the-middle attack, well, a man-in-the-middle presence, not an attack in this case. And you weren't actually getting my certificate from DigiCert. You were getting Avast's certificate that was like a fake GRC.com certificate they had just...

Leo: That should always be a red flag. That's terrible.

Steve: Just, yeah. And so...

Leo: Do other antiviruses do this? Or security programs do this?

Steve: Yeah. I've heard of others doing it. We know that appliances do it. And now here's an instance of Avast doing it. I'm trying to think of the other one.

Leo: Does McAfee do it?

Steve: I don't think so. I'm wondering if Kaspersky does it. I think maybe it's the one that does it. But, you know, we trust the Russians, so...

Leo: Yeah, of course. Why not?

Steve: That's right. Okay, now, Leo. The other day - we're now in Miscellany. I've got three things to talk about. I saw you guys running the whole "Building the Brick House" at high speed.

Leo: Yeah.

Steve: And I thought it was so neat.

Leo: Yeah. Three years ago John made a great time lapse of that, had the foresight.

Steve: He did. Now, okay. But at one point toward the end, everybody is moving around like their hair's on fire. And...

Leo: The tables change shape.

Steve: Oh, it was wonderful.

Leo: It's a party. We had a party.

Steve: And the control booth appeared, then it disappeared, then it came back, then disappeared. Then it spun around, and then it disappeared and came back. And it was, you know. Anyway, it's hard to stop watching it. It's mesmerizing. But it was just - it looked like a science fiction movie because, I mean, bzzzzzzzzz...

Leo: It's so cool.

Steve: Everyone buzzing around. But at one point the camera position was slowly moving. I don't mean it was rotating.

Leo: No, I know what you're talking about.

Steve: It was moving. How did you do that?

Leo: It's a special proprietary trick. No, it's called a "slider." So they have like an I-beam with a special, very, very, very slow platform that moves.

Steve: With a clockwork motion.

Leo: Clockwork, exactly. And you put your camera on that. It's designed for time lapses because obviously it has to move extremely slowly. So it moves...

Steve: Right, and that's what puzzled me is it was smooth. But I thought, wait a minute. Someone, like, I didn't know if you were going up, stop-frame animation, and somebody was moving it. But it didn't look like that. It was really smooth. And but for it to be done in time lapse - okay, there it is. Yup.

Leo: In fact, if you watch "House of Cards" - do you watch "House"...

Steve: You went to all the trouble of - oh, of course.

Leo: Okay. Watch the beginning of "House of Cards" next time you watch the show because they have a wonderful title sequence which is all time lapses of Washington, D.C.

Steve: Yes, yes, yes.

Leo: And many of them are done with a slider. So they slowly move as the time lapse is going. It's a wonderful effect. And, yeah, if you're not paying attention, it just looks really cool. And obviously most people don't because you've seen that "House of Cards" opening many times.

Steve: But them, it's like, well, of course, okay. But you guys...

Leo: Hey, we, uh, we, uh, we're cool. No, credit to John Slanina, JammerB, because he did a great job. He had the foresight to know that we would want that. What you'll also notice is the camera moves a little bit because we boarded it up at one point. Did you notice that?

Steve: I thought I saw, yeah, like some construction guy put a big steel I-beam right in front of it. And I was like, whoops.

Leo: Well, where we put it, eventually a wall was going to go. So you see it, and you see the wall come in front of it, and then you have to - we had to move the camera to get around that.

Steve: Is this available online for our listeners who haven't...

Leo: John, did you put - did you ever put that online, John? Here, let me get John's - did you ever put that online? We probably have it on inside.twit.tv somewhere. Huh? Yeah, give me a link. All right. So he's getting - so, yeah, it's probably on our blog, inside.twit.tv. But I just was there looking for it, and I didn't see it. It's maybe very deep. It's been three years, after all.

Steve: For what it's worth, it's absolutely fun. This thing starts with an empty room that doesn't look anything like, well, it doesn't look like anything. And you see them zooming around at warp 10, building this.

Leo: Is it on YouTube? Oh, it's on YouTube.

Steve: It's got great music. It's got a nice soundtrack. I mean, somebody - it was really well put together. And then there was also - it switched to a time lapse in your office, and we see your office being built with the beautiful wooden cabinetry and everything.

Leo: Yeah, I can't believe three years later, and a million and a half dollars later. If you go to YouTube and search for, I'm told, "TWiT time lapse," you will find it. Yeah, there it is, Studio Upgrade Time-Lapse. Only 21 - which one? This one? No, no, that's the old one. So there's a studio upgrade. That's when we put in the new lighting rig in The Cottage. The one you want is the TWiT Brick House Time-Lapse. And for some reason I'm in a Santa Claus outfit at the beginning. Is that the one, John? Am I in the wrong - oh, this is me introducing it, for some reason, again, in a Santa Claus outfit with a fake fireplace where you're sitting right now, Steve. Anyway, yeah, you can see the - I talk a long time, don't I. There we go.

Steve: At 1:00 p.m. Oh, there it is, yep.

Leo: Yeah. It was, you know, when we came in here, this was an empty - it was an

old furniture factory. It was a drugstore for 60 years. A software company was in here for a little bit. We tore out the walls of the cubicles, put glass in because they were not glassed in. My office is glassed in. And you can see the whole process, yeah. It's pretty fun. You can also see the day pass because...

Steve: Yes, as the sun is setting.

Leo: The sunset, yeah.

Steve: You can see it coming through the window. Yeah, oh, there it goes.

Leo: Yeah. He cuts out the night stuff because nothing happens all night long.

Steve: Very nice.

Leo: But you can see the sunset. You're looking from the west, so that's exactly what you're seeing as the sun comes down. It's pretty cool.

Steve: That's some - yeah, it's very cool.

Leo: I'm very proud of this. This was an amazing project. And there you go.

Steve: It's working. I heard you mention "Lucy" on MacBreak Weekly.

Leo: Yeah, did you see it?

Steve: Absolutely.

Leo: Did you hate it?

Steve: Eh. I was - I didn't love it as much as I hoped I would. But I was wondering about three quarters of the way through what they could do because it was just so ambitious, that is, in terms of where this was headed. It was like, what is the trajectory going to take them on? I like action, and I like kick-ass attractive girls; you know? And it's, yeah, I did enjoy it. I think for anyone who thinks they would like it, they would probably love it. And if you're not sure, then maybe wait till "Guardians of the Galaxy," which opens this Friday.

Leo: I was surprised how poorly reviewed it was. I'm a fan of the director, though.

He did...

Steve: Yes, Luc...

Leo: ..."La Femme Nikita," Luc Besson, and "The Fifth Element," which is one of my favorite movies. And I've interviewed him, many years ago when he was first starting out. He's a French director. And he's, I think, super talented.

Steve: Yeah, no. I really - I loved the Asian super bad guys. And I like that genre of movie. So I thought it was fun.

Leo: It's kind of B.S. because I don't think that whole thing about we only use 10% of our brain is really true. But still, it's a good one.

Steve: Yeah, yeah. Okay, now, final bit of miscellanea. I wanted to put on people's radar a forthcoming and very exciting next-generation memory technology. We of course have hard drives that we've talked about. We've got static RAM, which is very fast, but has a density limitation because each bit has at least two transistors. You can think of them as inverters that are connected to each other. If you think about an inverter that is something where a one comes in and a zero goes out, or a zero goes in and a one comes out, if you connect that to another inverter and then connect the output of the second inverter back to the input of the first, it's stable. That is, the first one puts out a zero, which makes the second one put out a one, which goes around to the input of the first one that makes it put out a zero. So, and if you did something to force that to change, like you forced the input that was a one going into the first one down to zero, then that first inverter puts out a zero, causing the second inverter to put out a one, and keeps it in that mode. So that's called a "flip-flop." Two inverters back to back, connected to each other, is a flip-flop. So static RAM is just that. It's a huge array of those. The problem is each cell takes up a lot of space because it requires that. So Dynamic RAM is simpler. It's just essentially a capacitor.
And the problem with it is that the charge on the capacitor bleeds off, which is why Dynamic RAM needs to be refreshed. The refreshing is a scanning through the entire contents of the RAM to read the cells before they have fully lost their charge, to recharge the ones that were draining. And the advantage of Dynamic RAM is the cell is, although it requires refreshing, it's much smaller than a static RAM. And that means the Dynamic RAM can be much denser. But both the flip-flops connected to each other and the leaky capacitor's Dynamic RAM, they're volatile. You turn the computer off, and they lose their charge. Now, we've talked about the surprising non-volatility of Dynamic RAM. Remember all of the freezing the DRAM with Freon and then quickly taking them out and putting them into a different machine. And it turns out that, if you make them really cold, you slow down the decay rate enough that they will hold their charge long enough to get moved into a different machine and so forth. So that. Now we have non-volatile. And of course that's an often-mentioned topic because it turns out that the density has been increasing. And I've been talking about the technology of non-volatile RAM, essentially how it uses a transistor with a floating gate where the gate

is separated by an insulator, and charge is driven through the insulator and stranded out on that gate, but that allows that transistor's state to be read. So that's what all of our current non-volatile solid-state memory is. The new technology - and this is something that popped up on my radar a couple years ago when HP announced they were seeing breakthroughs in it. HP calls theirs a "memristor." And the other term is "RRAM," as opposed to, for example, DRAM is Dynamic RAM. RRAM is Resistive RAM. And there have just been some new announcements of breakthroughs in that which are very exciting. The idea is that this uses the migration of, I think I read silver ions, through essentially a crossbar. Imagine vertical conductive strips on one side, horizontal conductive strips on the other to create a grid, and the intersections are the bit cells. And essentially you can cause the interconnecting resistance to change, and it stays changed. So it is nonvolatile because you have to do something to it, basically drive a current through it in order to force this migration. And once you do, you permanently change the resistance at the intersection. The reason this is exciting is it is a two-terminal solution. Unlike any of the transistorized solutions, which are large, this makes this very dense. And it turns out it is very high performance and has extreme endurance. So, for example, in terms of what we're actually, what they're actually making in the lab now, current flash technology that we have allows about 16GB to fit on a 200mm-square chip. So 200 square millimeters can hold 16GB of current flash technology. Using Resistive RAM, which is working in the lab, they can put a terabyte in the same space as 16GB. So this is shockingly more dense. One company is Crossbar-Inc.com or just Crossbar is the company name. But if anyone wants to look, so named because that's the architecture of this.
Oh, the other thing is not only is this technology super dense, but it lends itself to 3D. That is, a stacking of layers. So you can just keep building these crossbars back and forth, back and forth, back and forth, and stack them. And in fact you can build this on top of existing integrated circuits. So, for example, you could take a complex chip like a processor and have all of its real estate there doing its stuff, and then on top of it lay another layer of non-volatile RAM that then interconnects to it in order to create sort of a sandwich. So quoting from Crossbar's page, they said: "With 20X higher performance and 20X lower power than NAND," which is the technology of flash, "and 10X the endurance at half the die size, Crossbar has shattered traditional technology barriers for [the] NOR [and] NAND [style] embedded memory applications and will enable a new wave of electronics innovation for" and blah blah blah, you know, PR stuff. But the technology looks real. HP expected to have it last year and to be commercializing it. But they haven't been heard from for a while. So maybe they're having problems with yield and so forth. Moving this from the lab into commercial production is always challenging. We saw that, for example, when we were talking about the supercapacitors that we were hoping we would have by now, and somehow that seems to have gone on the back burner. But we may be looking at some serious increase in solid-state RAM performance.

Leo: Awesome.

Steve: And the good news is SpinRite will still be useful, which is why I'm so encouraged. All I will say this week about SpinRite, although I think maybe someone mentions it in the Q&A - I'm not sure, we do talk about SQRL a little bit there - is

yesterday at 5:21 in the afternoon, tweeting from Tweetbot for iOS, which is my favorite client also, someone named Ron Tyska just tweeted. And he said: "SpinRite revived a completely dead SSD, saved me $400. Thanks." So it is really the fact that people, our own customers, began repairing and reviving SSDs with SpinRite that really got me motivated and reinterested in giving it a future because I was a little depressed here as the world seemed to be going solid-state. And it continues to seem to be doing that, despite the fact that hard drives of course also continue to amaze us with how inexpensive they're able to create high-end mass storage. But it's clear that the nature of the economics is such, it's always going to be that these devices will be operating on the edge of reliability. They will be reliable enough that they do their job for a few years and then begin to die in some way. And the good news is SpinRite will be there and be able to pull them back. And the other thing I noted was in reading through other people's comments that I don't bother sharing, something I've never said, but I realize the truth of it, is anything SpinRite can fix, it would have prevented. And I think that's absolutely true. Anything it can fix, it would have prevented. Which is a way of thinking about it from a preventative maintenance standpoint. Lots of people use it after it's pulled them back from the grave, and they understand what it does. But if it had ever been used before the drive got into that shape, that would have never gotten into that shape. So that's an interesting way of phrasing it.

Leo: That's kind of cool. And that's why it's the world's best disk recovery and maintenance utility. Questions...

Steve: Right, and preventative.

Leo: And preventative, yes. Questions are ready for you, Steve. Are you ready for questions?

Steve: Let's do it.

Leo: Let's do it, starting with Adam P. He says: How do they do it? You praised SpiderOak - we should refer people back to that episode of Security Now! where you talk about all the different, or not all, but many different cloud storage solutions [SN-349]. And you did say, in fact, that your favorite was SpiderOak because it's Trust No One. They never have access to a user's private keys. Well, I'm wondering where you got that information. According to this SpiderOak Q&A page, FAQ page, if your hard drive crashes you only need your password to get your data back. Doesn't that mean they have to be storing your private key on their server? And, by the way, this makes their "zero knowledge" claim complete bunk.

Steve: Okay. So this was interesting for a couple reasons. First of all, recently Edward Snowden disparaged Dropbox, which doesn't offer TNO security. And he specifically mentioned SpiderOak as what he would use because of their TNO operation.


More information

Module 6.3 Client Catcher The Sequence (Already Buying Leads)

Module 6.3 Client Catcher The Sequence (Already Buying Leads) Module 6.3 Client Catcher The Sequence (Already Buying Leads) Welcome to Module 6.3 of the Client Catcher entitled The Sequence. I recently pulled over 300 of the local lead generation explosion members

More information

Introduction. What is RAID? The Array and RAID Controller Concept. Click here to print this article. Re-Printed From SLCentral

Introduction. What is RAID? The Array and RAID Controller Concept. Click here to print this article. Re-Printed From SLCentral Click here to print this article. Re-Printed From SLCentral RAID: An In-Depth Guide To RAID Technology Author: Tom Solinap Date Posted: January 24th, 2001 URL: http://www.slcentral.com/articles/01/1/raid

More information

Website Design Checklist

Website Design Checklist Website Design Checklist Use this guide before you begin building your website to ensure that your website maximizes its potential for your company. 3 THING YOU SHOULD NEVER SAY ON YOUR WEBSITE (That I

More information

Good CAD / Bad CAD. by Tony Richards

Good CAD / Bad CAD. by Tony Richards Good CAD / Bad CAD by Tony Richards Looking for a new computer-aided dispatch and/or records management system? Trying to figure out exactly what you should be looking for? What distinguishes good from

More information

Free Report. My Top 10 Tips to Betting Like a Pro With Zero Risk

Free Report. My Top 10 Tips to Betting Like a Pro With Zero Risk Free Report My Top 10 Tips to Betting Like a Pro With Zero Risk Legal Disclaimer: EVERY EFFORT HAS BEEN MADE TO ACCURATELY REPRESENT THIS PRODUCT AND IT'S POTENTIAL. EVEN THOUGH THIS INDUSTRY IS ONE OF

More information

Transcription. Crashplan vs Backblaze. Which service should you pick the short version

Transcription. Crashplan vs Backblaze. Which service should you pick the short version Transcription Crashplan vs Backblaze Hey and welcome to cloudwards.net and another exciting video of two major unlimited online backup services namely Backblaze and CrashPlan or CrashPlan or Backblaze.

More information

Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?]

Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Joe St Sauver, Ph.D. (joe@internet2.edu) Internet2 Global Summit, Denver Colorado

More information

RingCentral for Desktop. UK User Guide

RingCentral for Desktop. UK User Guide RingCentral for Desktop UK User Guide RingCentral for Desktop Table of Contents Table of Contents 3 Welcome 4 Download and install the app 5 Log in to RingCentral for Desktop 6 Getting Familiar with RingCentral

More information

Permission-Based Marketing for Lawyers

Permission-Based Marketing for Lawyers Permission-Based Marketing for Lawyers Jim Hart is a divorce attorney in Cary, North Carolina. Previously, his law practice was based in Florida. He owns several websites. Jameshartlaw.com redirects to

More information

Wholesaling Mark Ferguson

Wholesaling Mark Ferguson TRANSCRIPT OF EPISODE 14 OF THE INVEST FOUR MORE PODCAST Wholesaling Mark Ferguson Mark: Hi everyone. Mark Ferguson here with another episode of the Invest More Real Estate podcast. Today is just going

More information

If you lost all of your data right now... What would you do?... Backup Plan For Home Users and Very Small Businesses

If you lost all of your data right now... What would you do?... Backup Plan For Home Users and Very Small Businesses 2 If you lost all of your data right now... What would you do?... Backup Plan For Home Users and Very Small Businesses As the Story Goes... At seven pm, I received a distraught phone call on my cellphone...

More information

Page 18. Using Software To Make More Money With Surveys. Visit us on the web at: www.takesurveysforcash.com

Page 18. Using Software To Make More Money With Surveys. Visit us on the web at: www.takesurveysforcash.com Page 18 Page 1 Using Software To Make More Money With Surveys by Jason White Page 2 Introduction So you re off and running with making money by taking surveys online, good for you! The problem, as you

More information

So with no further ado, welcome back to the podcast series, Robert. Glad to have you today.

So with no further ado, welcome back to the podcast series, Robert. Glad to have you today. Raising the Bar: Mainstreaming CERT C Secure Coding Rules Transcript Part 1: How the Specification Came to be and Its Structure Julia Allen: Welcome to CERT's Podcast Series: Security for Business Leaders.

More information

As you ask them and if not, you have things to question, we can answer, we can give advice to you by email within 24 hours.

As you ask them and if not, you have things to question, we can answer, we can give advice to you by email within 24 hours. Thanks for your patience and welcome to the CDI MobyMax Interactive Webinar this afternoon. We appreciate you joining us. I now have with me most of you are. Certainly, we'll do our best to make today's

More information

Phonics. High Frequency Words P.008. Objective The student will read high frequency words.

Phonics. High Frequency Words P.008. Objective The student will read high frequency words. P.008 Jumping Words Objective The student will read high frequency words. Materials High frequency words (P.HFW.005 - P.HFW.064) Choose target words. Checkerboard and checkers (Activity Master P.008.AM1a

More information

(Refer Slide Time: 2:03)

(Refer Slide Time: 2:03) Control Engineering Prof. Madan Gopal Department of Electrical Engineering Indian Institute of Technology, Delhi Lecture - 11 Models of Industrial Control Devices and Systems (Contd.) Last time we were

More information

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15. NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities

More information

Certificate IV in Project Management Practice 1 BSB41513

Certificate IV in Project Management Practice 1 BSB41513 Certificate IV in Project Management Practice Certificate IV in Project Management Practice 1 BSB41513 Certificate IV in Project Management Practice BSB41513 Our Certificate IV in Project Management Practice

More information

17 of the Internet s Best Banner Ads. Love em or Hate em They Do Work!

17 of the Internet s Best Banner Ads. Love em or Hate em They Do Work! Love em or Hate em They Do Work! Banner Ads What are they? Ever since the Internet started to take off in the mid 90 s, banner ads have been an acceptable way of advertising on the Web. Banner ads come

More information

B: He's getting a divorce and says he won't be able to pay for it after he pays alimony and child support.

B: He's getting a divorce and says he won't be able to pay for it after he pays alimony and child support. Dialog: VIP LESSON 001 - Alimony A: Why is Kevin selling his house? B: He's getting a divorce and says he won't be able to pay for it after he pays alimony and child support. A: Why is he getting a divorce?

More information

Seven Steps to Starting Your Own NP Practice

Seven Steps to Starting Your Own NP Practice Transcript Details This is a transcript of an educational program accessible on the ReachMD network. Details about the program and additional media formats for the program are accessible by visiting: https://reachmd.com/programs/partners-in-practice/seven-steps-to-starting-your-own-np-practice/6345/

More information

What you should know about: Windows 7. What s changed? Why does it matter to me? Do I have to upgrade? Tim Wakeling

What you should know about: Windows 7. What s changed? Why does it matter to me? Do I have to upgrade? Tim Wakeling What you should know about: Windows 7 What s changed? Why does it matter to me? Do I have to upgrade? Tim Wakeling Contents What s all the fuss about?...1 Different Editions...2 Features...4 Should you

More information

Sponsored by: Speaker: Brian Madden, Independent Industry Analyst and Blogger

Sponsored by: Speaker: Brian Madden, Independent Industry Analyst and Blogger THIN CLIENT OPTIONS Sponsored by: Speaker: Brian Madden, Independent Industry Analyst and Blogger Brian Madden: Hello. My name is Brian Madden, and welcome to Part 2 of our threepart video series about

More information

Web Application Security

Web Application Security White Paper Web Application Security Managing Cross-Site Scripting, The Number One Item on OWASP s Top Ten List Introduction: What is OWASP? The Open Web Application Security Project (OWASP) is, by its

More information

Enterprise Remote Control 5.6 Manual

Enterprise Remote Control 5.6 Manual Enterprise Remote Control 5.6 Manual Solutions for Network Administrators Copyright 2015, IntelliAdmin, LLC Revision 3/26/2015 http://www.intelliadmin.com Page 1 Table of Contents What is Enterprise Remote

More information

Components of an Online Marketing System

Components of an Online Marketing System Components of an Online Marketing System Your Online Marketing System is your prime real estate on the internet. It is your business center and it is the one thing you truly own. You ll want to place a

More information

Bullying 101: Guide for Middle and High School Students

Bullying 101: Guide for Middle and High School Students Bullying 101: Guide for Middle and High School Students A guide to the basics of bullying, what it is and isn t, the role of students, and tips on what you can do. 952.838.9000 PACERTeensAgainstBullying.org

More information

Interview With A Teen. Great Family. Outstanding Education. Heroine Addict

Interview With A Teen. Great Family. Outstanding Education. Heroine Addict Interview With A Teen. Great Family. Outstanding Education. Heroine Addict I recently had the incredible opportunity to interview a young man, Gregor, who very quickly fell into a dependent situation with

More information

Copyright LisaCashHanson.com

Copyright LisaCashHanson.com Hi, itʼs Lisa. I want to say how totally excited I am to have you with me. I know your time is valuable and I promise to deliver tips that you can begin using right away. My Email List Building Empire

More information

ONLINE SAFETY TEACHER S GUIDE:

ONLINE SAFETY TEACHER S GUIDE: TEACHER S GUIDE: ONLINE SAFETY LEARNING OBJECTIVES Students will learn how to use the Internet safely and effectively. Students will understand that people online are not always who they say they are.

More information

I Miss My Pet: A workbook for children about pet loss

I Miss My Pet: A workbook for children about pet loss I Miss My Pet. Unpublished workbook, Katie Nurmi 2002 1/30 I Miss My Pet: A workbook for children about pet loss Illustration by Joseph, age 6, The Solid Foundation Association, State College, PA. Developed

More information

Show notes for today's conversation are available at the podcast website.

Show notes for today's conversation are available at the podcast website. What Business Leaders Can Expect from Security Degree Programs Transcript Part 1: Nuts and Bolts versus the Big Picture Stephanie Losi: Welcome to CERT's podcast series, Security for Business Leaders.

More information

The Fruit of the Spirit is Love

The Fruit of the Spirit is Love The Fruit of the Spirit is Love Pre-Session Warm Up (Galatians 5:22-23) Today we are going to learn more about the fruit of the Spirit called, Love. What do you think of when you hear the word love? A

More information

Devotion NT267 CHILDREN S DEVOTIONS FOR THE WEEK OF: LESSON TITLE: The Second Coming. THEME: Jesus is coming again. SCRIPTURE: Matthew 24:27-31

Devotion NT267 CHILDREN S DEVOTIONS FOR THE WEEK OF: LESSON TITLE: The Second Coming. THEME: Jesus is coming again. SCRIPTURE: Matthew 24:27-31 Devotion NT267 CHILDREN S DEVOTIONS FOR THE WEEK OF: LESSON TITLE: The Second Coming THEME: Jesus is coming again. SCRIPTURE: Matthew 24:27-31 Dear Parents Welcome to Bible Time for Kids. Bible Time for

More information

English as a Second Language Podcast www.eslpod.com. ESL Podcast 164 Seeing a Specialist

English as a Second Language Podcast www.eslpod.com. ESL Podcast 164 Seeing a Specialist GLOSSARY nagging pain a pain that continues to hurt and that won t go away * I can t sleep at night because of the nagging pain in my back. routine tests regular tests, not special ones * The doctor ordered

More information

GET THINKING. Lesson: Get Thinking Museums. Teacher s notes. Procedure

GET THINKING. Lesson: Get Thinking Museums. Teacher s notes. Procedure Level: Intermediate + Age: Teenagers / Adult Time: 90 minutes + Language objectives: collocations, understanding vocabulary in context Key life skills: learner autonomy, giving feedback, social responsibility

More information

Accurate speed test results are difficult to obtain. Below are a few pointers for users on the LGfL 2.0 network.

Accurate speed test results are difficult to obtain. Below are a few pointers for users on the LGfL 2.0 network. Download speeds the dilemma of speed testing Accurate speed test results are difficult to obtain. Below are a few pointers for users on the LGfL 2.0 network. Your school s connection a few examples Normally

More information

A Conversation with Chris Denninger RIT Director of Public Safety Facilitated by Luke Auburn

A Conversation with Chris Denninger RIT Director of Public Safety Facilitated by Luke Auburn A Conversation with Chris Denninger RIT Director of Public Safety Facilitated by Luke Auburn [ Music ] Luke Auburn: You're listening to the RIT professional development podcast series. I'm your host Luke

More information

Google Lead Generation For Attorneys - Leverage The Power Of Adwords To Grow Your Law Business FAST. The Foundation of Google AdWords

Google Lead Generation For Attorneys - Leverage The Power Of Adwords To Grow Your Law Business FAST. The Foundation of Google AdWords Google Lead Generation For Attorneys - Leverage The Power Of Adwords To Grow Your Law Business FAST You re about to discover the secrets of fast legal practice success with Google AdWords. Google AdWords

More information

Cisco Events Mobile Application

Cisco Events Mobile Application Welcome to the new free Cisco Events mobile application! Using this tool, participants can: Connect with peers and Cisco representatives attending an event virtually or onsite Earn points towards exclusive

More information

1. The most dominant detail (after you found it) 2. The feelings in your body

1. The most dominant detail (after you found it) 2. The feelings in your body Introduction to the PMA Self- help technique How do you do an effective PMA session on yourself? What do you have to do and what do you have to avoid? Progressive Mental Alignment (PMA) makes use of the

More information

Todd: Kim: Todd: Kim: Todd: Kim:

Todd: Kim: Todd: Kim: Todd: Kim: Todd: [0:00:18] Hey everybody, welcome to another edition of The Prosperity Podcast, this is No BS Money Guy Todd Strobel. Once again, we have my cohost, bestselling financial author Kim Butler with us,

More information

Transcript of Episode #8. DDoS Attacks

Transcript of Episode #8. DDoS Attacks Transcript of Episode #8 DDoS Attacks Description: Distributed Denial of Service (DDoS) attacks are occurring with ever-greater frequency every day. Although these damaging attacks are often used to extort

More information

WhatWorks: Blocking Complex Malware Threats at Boston Financial

WhatWorks: Blocking Complex Malware Threats at Boston Financial WhatWorks: Blocking Complex Malware Threats at Boston Financial with WhatWorks is a user-to-user program in which security managers who have implemented effective internet security technologies tell why

More information

Create a free CRM with Google Apps

Create a free CRM with Google Apps Create a free CRM with Google Apps By Richard Ribuffo Contents Introduction, pg. 2 Part One: Getting Started, pg. 3 Creating Folders, pg. 3 Clients, pg. 4 Part Two: Google Forms, pg. 6 Creating The Form,

More information

Andrew: And then you went and you did an internship that turned everything around, right?

Andrew: And then you went and you did an internship that turned everything around, right? Andrew: This session is about profitable ad buying. It is led by Justin Brook. He is the founder of I Am Scalable, a digital ad agency that specializes in supplement companies, software companies and info

More information

Advanced Techniques for the Walkingbass

Advanced Techniques for the Walkingbass Advanced Techniques for the Walkingbass I have seen guys with 5 string basses who can t get half the sounds that you are getting out of just three. -Buddy Fo of the Invitations If you have read the Beginners

More information

No problem, Alicia. Everything smells wonderful; I m sure your in-laws visit will go just fine.

No problem, Alicia. Everything smells wonderful; I m sure your in-laws visit will go just fine. Elements of Univ Comp and Comm Scene Title: Study Session at s Transition: General Description: is finishing cooking while hosting a study session with our Student, and.

More information

How to Create Winning Joint Ventures

How to Create Winning Joint Ventures How to Create Winning Joint Ventures Jim Ingersoll here with another segment on private lender financing and your private lending course. I'm excited to have you along. Now that you know why you want to

More information

CAPZLES TUTORIAL INTRODUCTION

CAPZLES TUTORIAL INTRODUCTION CAPZLES TUTORIAL Hello and Welcome to my Capzles Tutorial! INTRODUCTION Capzles.com is a Web 2.0 social media website for people to create and share their own unique stories using audio, video, photographs,

More information

BBC LEARNING ENGLISH 6 Minute English The Proms

BBC LEARNING ENGLISH 6 Minute English The Proms BBC LEARNING ENGLISH 6 Minute English The Proms This is not a word-for-word transcript Hello and welcome to 6 Minute English. I'm and I'm. Hello. Now,, are you doing anything interesting tonight? Well,

More information

The Increasing Threat of Malware for Android Devices. 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them

The Increasing Threat of Malware for Android Devices. 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them The Increasing Threat of Malware for Android Devices 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them INTRODUCTION If you own a smartphone running the Android operating system, like the

More information

100 Ways To Improve Your Sales Success. Some Great Tips To Boost Your Sales

100 Ways To Improve Your Sales Success. Some Great Tips To Boost Your Sales 100 Ways To Improve Your Sales Success Some Great Tips To Boost Your Sales 100 Ways To Improve Your Sales Success By Sean Mcpheat, Managing Director Of The Sales Training Consultancy What makes a successful

More information

>> My name is Danielle Anguiano and I am a tutor of the Writing Center which is just outside these doors within the Student Learning Center.

>> My name is Danielle Anguiano and I am a tutor of the Writing Center which is just outside these doors within the Student Learning Center. >> My name is Danielle Anguiano and I am a tutor of the Writing Center which is just outside these doors within the Student Learning Center. Have any of you been to the Writing Center before? A couple

More information

A Parents' Guide to. 2014 ConnectSafely.org

A Parents' Guide to. 2014 ConnectSafely.org A Parents' Guide to 2014 ConnectSafely.org Top 5 Questions Parents Have About Instagram 1. Why do kids love Instagram? Because they love media, sharing it and socializing with it on their phones, and Instagram

More information

Introduction to Public Safety Project Management. Table of Contents. Introduction to Public Safety Project Management

Introduction to Public Safety Project Management. Table of Contents. Introduction to Public Safety Project Management Introduction to Public Safety Project Management Introduction to Public Safety Project Management Table of Contents Introduction to Public Safety Project Management... 2 What is Project Management... 3

More information

WhatWorks in Detecting and Blocking Advanced Threats:

WhatWorks in Detecting and Blocking Advanced Threats: WhatWorks in Detecting and Blocking Advanced Threats: A Real Case Study at a Large Research Organization with WhatWorks is a user-to-user program in which security managers who have implemented effective

More information